Aflac data breach exposed after subsidiary cyberattack

▼ Summary
– Attackers breached Aflac Japan’s systems between June 15 and June 25, 2026, stealing personal and bank account information of 4.38 million customers.
– Aflac Japan discovered the unauthorized access on June 25, 2026, and responded by suspending affected systems while continuing to serve policyholders.
– The breach is limited to Aflac Japan’s systems; U.S. business systems were not accessed.
– Aflac Japan has notified Japanese authorities and plans to notify affected individuals; the full scope and impact remain unknown.
– This incident follows a prior Aflac data breach one year ago, linked to the Scattered Spider threat group.
The insurance titan Aflac has officially confirmed a data breach affecting approximately 4.38 million customers in Japan, following a cyberattack on its subsidiary’s internal systems. The breach, which exposed personal details and bank account information, was disclosed in a regulatory filing with the U.S. Securities and Exchange Commission (SEC) on Monday.
Aflac, a Fortune 500 company and America’s leading provider of supplemental insurance, operates a vast customer base both domestically and in Japan. According to the filing, the unauthorized access occurred between June 15 and June 25, 2026, and was discovered by Aflac Japan on June 25.
“Upon identifying the unlawful access, Aflac Japan promptly took steps designed to contain the incident and prevent further intrusion, including suspending certain systems,” the company stated. Despite the disruption, Aflac Japan continues to serve its policyholders while responding to the incident.
The investigation, supported by external cybersecurity experts, has revealed that the attackers accessed files containing policy details, personal data, and bank account numbers. Aflac Japan has notified the Japan Financial Services Agency and other relevant authorities, and plans to contact all affected individuals directly.
Importantly, Aflac emphasized that the breach is confined to its Japan operations. “The Company’s systems related to its U. S. business were not accessed by the unauthorized third-party,” the filing notes. However, the full scope and potential impact of the incident remain under assessment.
This marks the second significant security incident for Aflac in as many years. In 2025, the company disclosed a separate data breach during a wave of attacks targeting U. S. insurers. While Aflac did not attribute that incident to a specific group, it bore the hallmarks of the Scattered Spider hacking collective, also known as 0ktapus, UNC3944, and Muddled Libra. That group has been linked to high-profile breaches at MGM Resorts, Caesars, DoorDash, Twilio, and Coinbase, and has collaborated with ransomware operations like Qilin, RansomHub, and DragonForce.
As of this writing, Aflac has not responded to requests for additional comment. The company continues to investigate the intrusion and work with authorities to mitigate further risks.
(Source: BleepingComputer)


